Listen to this Post
The vulnerability resides in the path resolution logic of the Serve Static Middleware configured for the Cloudflare Workers adapter. When processing an incoming HTTP request for a static asset, the middleware takes the user-supplied URL path and directly uses it to form a lookup key for the Workers asset storage (e.g., env.ASSETS.fetch(request)). It fails to properly sanitize or restrict this path, allowing sequences like `../../../` or other path traversal payloads. An attacker can craft a request like `GET /static/../../../WRONG_KEY` which, when naively concatenated or resolved, bypasses the intended directory scope. The constructed key is then used to fetch from the asset namespace, which may contain internal, non-public keys. This results in the server returning assets associated with the attacker-chosen key, leading to unauthorized information disclosure of any readable asset within the same storage bindings, without the ability to write or execute code.
Platform: Cloudflare Workers
Version: Adapter Middleware
Vulnerability: Path Traversal
Severity: Medium
date: 2024-10-XX
Prediction: 2024-11-15
What Undercode Say:
curl -v “https://target.workers.dev/static/../../../env_config.json”
Attempts to traverse to parent directories in asset key namespace.
cat > probe_paths.txt << 'EOF'
../ASSETS
../../KEY
…/./config
EOF
while read path; do curl -s “https://target.workers.dev/static/$path”; done
Exploit:
Craft malicious path traversal requests to access keys like ../PRODUCTION_API_KEY, ../../config/internal.json. Automated scanning for directory traversal in the `/static/` endpoint.
Protection from this CVE
Update middleware. Implement strict path validation, normalize and restrict to intended subdirectory, use allowlists for allowed keys, sanitize user input before key formation.
Impact:
Information disclosure of internal asset keys and files stored in Workers asset storage, potentially exposing configuration, secrets, or non-public data.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

